SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
Article Number
000038840
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
The test connection to RSA Authentication Manager fails while configuring LDAPS with the following error:
KeyUsage does not allow digital signatures
Cause
The /opt/rsa/am/server/logs/imsTrace.log shows that a field Key Usage has been created and added value of Data Encipherment (20) which is causing the test connection to fail.
2020-04-09 11:48:47,652, [[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'], (LDAPConnectionTesterImpl.java:231), trace.com.rsa.ims.ldapslotmgt.impl.LDAPConnectionTesterImpl, ERROR, 2k8r2-dc1.2k8r2-vcloud.local,,,,LDAP Server connection test failed
javax.naming.CommunicationException: 10.232.0.195:636 [Root exception is javax.net.ssl.SSLException: Certificate not verified.]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
javax.naming.CommunicationException: 10.232.0.195:636 [Root exception is javax.net.ssl.SSLException: Certificate not verified.]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at com.rsa.ims.common.ldap.GetLDAPConnectionTask.call(GetLDAPConnectionTask.java:70)
at com.rsa.ims.common.ldap.GetLDAPConnectionTask.call(GetLDAPConnectionTask.java:1)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Certificate not verified.
at com.rsa.sslj.x.aI.b(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.ap.c(Unknown Source)
at com.rsa.sslj.x.ap.a(Unknown Source)
at com.rsa.sslj.x.ap.j(Unknown Source)
at com.rsa.sslj.x.ap.i(Unknown Source)
at com.rsa.sslj.x.ap.h(Unknown Source)
at com.rsa.sslj.x.aT.startHandshake(Unknown Source)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:393)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
... 18 more
Caused by: com.rsa.sslj.x.aL: Certificate not verified.
at com.rsa.sslj.x.bh.a(Unknown Source)
at com.rsa.sslj.x.bh.a(Unknown Source)
at com.rsa.sslj.x.bh.a(Unknown Source)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at com.rsa.ims.common.ldap.GetLDAPConnectionTask.call(GetLDAPConnectionTask.java:70)
at com.rsa.ims.common.ldap.GetLDAPConnectionTask.call(GetLDAPConnectionTask.java:1)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Certificate not verified.
at com.rsa.sslj.x.aI.b(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.ap.c(Unknown Source)
at com.rsa.sslj.x.ap.a(Unknown Source)
at com.rsa.sslj.x.ap.j(Unknown Source)
at com.rsa.sslj.x.ap.i(Unknown Source)
at com.rsa.sslj.x.ap.h(Unknown Source)
at com.rsa.sslj.x.aT.startHandshake(Unknown Source)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:393)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
... 18 more
Caused by: com.rsa.sslj.x.aL: Certificate not verified.
at com.rsa.sslj.x.bh.a(Unknown Source)
at com.rsa.sslj.x.bh.a(Unknown Source)
at com.rsa.sslj.x.bh.a(Unknown Source)
... 28 more
Caused by: java.security.cert.CertificateException: KeyUsage does not allow digital signatures
Caused by: java.security.cert.CertificateException: KeyUsage does not allow digital signatures
at com.rsa.sslj.x.ck.checkServerTrusted(Unknown Source)
at com.rsa.sslj.x.aF.a(Unknown Source)
at com.rsa.sslj.x.aF.a(Unknown Source)
... 31 more
Resolution
Remove the key usage field from the certificate or add the digital signature to it, along with Data Encipherment to resolve the issue. FOllow the steps below:
Image description
- Review the certificate and under the Details tab, check the Key Usage attribute.
Image description- The certificate should be generated to include Digital Signature which was missing in the LDAPS certificate.
- Reissue the certificate with Digital Certificate Signature included in the Key Usage field. It can now be imported into the RSA Authentication Manager Operations Console.
- LDAPS test connection over port 636 works as expected.
In this article
